FortiSwitch
anarra
Staff
Article Id 276618
Description

 

This article describes how to set up a Tier-1 MCLAG-ICL between two managed FortiSwitches running FortiSwitchOS 7.x, and how to troubleshoot it when FortiLink or the ICL does not come up.

 

Scope

 

FortiSwitch: FortiLink and MCLAG-ICL configuration steps and troubleshooting.

 

Solution

 

Configure FortiLink on FortiGate.

 

Step 1: Enable FortiLink and authorize FortiSwitch.

  1. Go to WiFi & Switch Controller > FortiLink Interface in the FortiGate GUI.
  2. Configure the FortiLink interface by adding the FortiGate port that is connected to the FortiSwitch. (Enabling FortiLink on an aggregate interface can only be done from the FortiGate CLI, with 'set fortilink enable' under 'config system interface'.)

 

anarra_0-1695938401891.png

 

  3. Set NTP to local under the DHCP server of the FortiLink interface, so the switches take their time from the FortiGate.
  4. Once the FortiSwitch is discovered, authorize FSW-1 under WiFi & Switch Controller > Managed FortiSwitches in the FortiGate GUI:

 

anarra_1-1695938401893.png

 

  5. Verify that the FortiSwitch is up and connected.

 

anarra_2-1695938401894.png

 

  6. Connect the second FortiSwitch (FSW-2) to the first FortiSwitch (FSW-1) and authorize it:

 

anarra_3-1695938401895.png

 

  7. Once both FortiSwitches are online, connect to the FortiGate CLI and set the lldp-profile to 'default-auto-mclag-icl'. Apply this profile only to the ports that connect the two FortiSwitches to each other (the ports that will become the ICL), never to the uplinks toward the FortiGate:


anarra_4-1695938401902.png

 

  8. Disable the 'FortiLink split interface' on the FortiLink interface. Do this only after the ICL ports have been configured in the previous step: with split interface disabled, the FortiGate uses every member port of the FortiLink aggregate at the same time, which only works once the two switches form an MCLAG peer group.
  9. Connect the second cable from the FortiGate to FSW-2 and add that FortiGate port as a member of the FortiLink interface.

 

anarra_5-1695938401904.png

 

  • FortiLink takes about 1 to 3 minutes to come back up, after which the MCLAG-ICL is formed between the two FortiSwitches and both uplinks are active.
  • Lastly, connect a third FortiSwitch to the existing peer group. It joins as a downstream switch connected to both peers; it does not become a third member of the peer group (see Notes).

 

anarra_6-1695938401907.png
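The whole procedure above as a FortiGate CLI session, added here as an example; it is not taken from the original article. It assumes the FortiLink interface already exists as an aggregate named "fortilink", FortiGate port5 is cabled to FSW-1 and port6 to FSW-2, the two switches are cabled to each other on port23 and port24 of both, the FortiLink DHCP server has id 1, and <FSW1_SERIAL> and <FSW2_SERIAL> stand for the switch serial numbers. Replace all of these with your own values.

```fortios
# Added example, not from the original article. Assumed names: interface "fortilink",
# uplinks port5 (FSW-1) and port6 (FSW-2), ISL ports port23/port24 on both switches,
# FortiLink DHCP server id 1, serials <FSW1_SERIAL> and <FSW2_SERIAL>.

# Steps 1-3: FortiLink with the first uplink only, DHCP server handing out local NTP
config system interface
    edit "fortilink"
        set fortilink enable            # not "set enable fortilink"
        set member "port5"
    next
end
config system dhcp server
    edit 1                              # id of the FortiLink DHCP server; confirm with: show system dhcp server
        set interface "fortilink"
        set ntp-service local           # switches sync time from the FortiGate itself
    next
end

# Steps 4-6: authorize both switches once they show up as discovered
config switch-controller managed-switch
    edit "<FSW1_SERIAL>"
        set fsw-wan1-admin enable       # "authorize" in the GUI
    next
    edit "<FSW2_SERIAL>"
        set fsw-wan1-admin enable
    next
end

# Step 7: ICL profile only on the switch-to-switch ports, on both peers
config switch-controller managed-switch
    edit "<FSW1_SERIAL>"
        config ports
            edit "port23"
                set lldp-profile "default-auto-mclag-icl"
            next
            edit "port24"
                set lldp-profile "default-auto-mclag-icl"
            next
        end
    next
    edit "<FSW2_SERIAL>"
        config ports
            edit "port23"
                set lldp-profile "default-auto-mclag-icl"
            next
            edit "port24"
                set lldp-profile "default-auto-mclag-icl"
            next
        end
    next
end

# Steps 8-9: only now drop the split interface and add the second uplink
config system interface
    edit "fortilink"
        set fortilink-split-interface disable
        set member "port5" "port6"
    next
end

# Verify after 1-3 minutes: both switches authorized/up with a FortiLink IP, no warnings
execute switch-controller get-conn-status
execute switch-controller diagnose-connection <FSW1_SERIAL>
execute switch-controller diagnose-connection <FSW2_SERIAL>
```

The order of the last two blocks matters: the ICL profile is applied while split interface is still enabled, so only one uplink is active until the switches can form the MCLAG peer. On the FortiSwitch side, 'diagnose switch mclag icl' should then list the peer port and 'diagnose switch mclag peer-consistency-check' should report no inconsistencies, as described in the troubleshooting section below.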

 

Troubleshooting FortiLink and MCLAG issues.

 

If the FortiSwitch does not come up, verify the settings below.

 

In the FortiGate CLI:

 

execute switch-controller get-conn-status <----- Should show authorized/up and should have an IP address from the FortiLink interface.

 

execute switch-controller diagnose-connection <serial_number> <----- Check for any warnings in this output.

 

In the FortiSwitch CLI:

 

get sys interface <----- IP Address should be assigned on the internal interface from FortiLink interface IP.
diagnose switch trunk summary <----- Trunk should be formed with the uplink port.

 

If the trunk is not forming, check below:

 

FortiSwitchOS before 7.2.0:

 

config switch global
    set switch-mgmt-mode fortilink
end

 

FortiSwitchOS 7.2.0 and later:

 

config switch auto-network
    set mgmt-vlan 4094
    set status enable
end

config switch physical-port
    edit <port>    <----- The uplink port toward the FortiGate.
        set lldp-profile default-auto-isl    <----- LLDP profile needs to be set.
    next
end

diagnose sys ntp status
<----- The FortiLink IP address should be reachable and the clock in sync with it.
get sys status
<----- Time needs to be in sync with the FortiGate.

 

  • Check that FortiSwitch and FortiGate versions are compatible.
  • If the uplink ports are SFP ports, check if compatible transceivers are used.
  • Reboot FortiGate and FortiSwitch.

 

If the switch is still not coming up after the checks above, contact Technical Support with the output of the following commands.

 

  • FortiGate CLI:

 

execute switch-controller get-conn-status

execute switch-controller diagnose-connection <serial_number>

get sys status

execute switch-controller get-physical-conn standard

 

FSwitch.png

 

  • FortiSwitch CLI:

 

diagnose debug report

show full-configuration

 

If the MCLAG-ICL is not forming, or is flapping, on the FortiSwitches, check the following on both peers:

 

diagnose switch trunk summary <----- Make sure the trunk is up.

diagnose switch mclag peer-consistency-check <----- All inconsistencies need to be cleared.

diagnose switch mclag icl <----- The correct peer port should be visible.

 

anarra_7-1695938401909.png

 

anarra_8-1695938401911.png

 

diagnose switch physical-port linerate <portno> <----- Make sure Rx and Tx counters are increasing on the ICL port.

diagnose stp instance list <----- Check for TCN events and any loops.

 

If peer FortiSwitches are still not up, reach out to Technical Support with the output of the above commands.

 

If the MCLAG peer consistency check shows a MISMATCH on the switch interface, as follows:

 

 ** Comparing "switch.interface" config ....MISMATCH
IGMP-snooping-flood-report <--
IGMP-snooping-flood-traffic <--

 

then mcast-snooping-flood-traffic and igmp-snooping-flood-reports must be enabled on the ICL trunk on both MCLAG peers. The settings are applied to the auto-negotiated ICL trunk interface, and they are listed in the documented MCLAG requirements.

 

Example:

 

config switch interface
    edit "_FlInK1_ICL0_"
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

 

Notes:

  1. Both MCLAG peer switches need to be the same model and run the same FortiSwitchOS version.
  2. Only FortiSwitch 2XX-series and higher models support MCLAG; the FS-1XX series does not.
  3. Do not place more than two FortiSwitches in one MCLAG peer group; additional switches connect to the peer group as downstream switches.